PR: 2314

author Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)
diff --git a/CHANGES b/CHANGES

index 76a379376401ca85d6728883d4bce16bee578bf2..2944acae7568b8b926c46c473cb700bb856de1dd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -173,6 +173,9 @@
  
   Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
  
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
    *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
       context. The operation can be customised via the ctrl mechanism in
       case ENGINEs want to include additional functionality.
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index ac21f1925409c484495cc085dabb2bf44fc78fc5..0c1df8ca4794db49f6c5eab272b1c1d26ad74125 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1526,6 +1526,7 @@ int ssl3_get_key_exchange(SSL *s)
                 s->session->sess_cert->peer_ecdh_tmp=ecdh;
                 ecdh=NULL;
                 BN_CTX_free(bn_ctx);
+               bn_ctx = NULL;
                 EC_POINT_free(srvr_ecpoint);
                 srvr_ecpoint = NULL;
                 }
author	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Sun, 10 Oct 2010 12:15:47 +0000 (12:15 +0000)
CHANGES		patch \| blob \| history
ssl/s3_clnt.c		patch \| blob \| history